agenttesla | 0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909

General

Target

0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
Size

696KB
MD5

2be3062f2532fe1cc25914a16a681603
SHA1

f1a0580ac3605fe98459a5cbef4e19a584818b6e
SHA256

0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909
SHA512

40c4aeeeab40c212d0a6ae3acfbed92e7032acffd86ffe0a0bf9a728a760bf4597bf5803db1f8e8cf0143d78f6e182a81b2c26565edaed9f4c6ff77efdb672ae
SSDEEP

12288:0P0R0MuixaBFnMf8FcDSA5B6Uh7S9RDSFgYCSZU+mYLOUQcaTPJSz2E/xEVKrkR:0sOMuLFQ3DnVWN6Z/Q3TPdqa

Score

10^/10

agenttesla keylogger spyware stealer trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.thanhancompony.com
Port:
587
Username:
[email protected]
Password:
aSkIhV^3

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.thanhancompony.com
Port:
587
Username:
[email protected]
Password:
aSkIhV^3
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs

resource	yara_rule
behavioral2/memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1476	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
1476	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1476	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90
PID 2408 wrote to memory of 1476	2408	0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe	90

C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
"C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe
  "C:\Users\Admin\AppData\Local\Temp\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

3

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0fe29888e7b2862c3571b9e1e70b930d973f8efc516b972bea7811dcc98ec909.exe.log

Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
memory/1476-11-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1476-20-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1476-19-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/1476-18-0x0000000005F80000-0x0000000005FD0000-memory.dmp

Filesize
320KB

Download
memory/1476-17-0x0000000005150000-0x00000000051B6000-memory.dmp

Filesize
408KB

Download
memory/1476-16-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/1476-15-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2408-5-0x0000000005A90000-0x0000000005A9A000-memory.dmp

Filesize
40KB

Download
memory/2408-9-0x0000000007060000-0x00000000070E2000-memory.dmp

Filesize
520KB

Download
memory/2408-10-0x00000000096A0000-0x000000000973C000-memory.dmp

Filesize
624KB

Download
memory/2408-8-0x0000000005E10000-0x0000000005E22000-memory.dmp

Filesize
72KB

Download
memory/2408-7-0x0000000005CE0000-0x0000000005CEE000-memory.dmp

Filesize
56KB

Download
memory/2408-14-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download
memory/2408-6-0x0000000005CB0000-0x0000000005CD0000-memory.dmp

Filesize
128KB

Download
memory/2408-0-0x0000000000F60000-0x0000000001010000-memory.dmp

Filesize
704KB

Download
memory/2408-4-0x0000000005BB0000-0x0000000005BC0000-memory.dmp

Filesize
64KB

Download
memory/2408-3-0x00000000059D0000-0x0000000005A62000-memory.dmp

Filesize
584KB

Download
memory/2408-2-0x0000000006070000-0x0000000006614000-memory.dmp

Filesize
5.6MB

Download
memory/2408-1-0x0000000074AE0000-0x0000000075290000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads